WEBVTT

00:00.390 --> 00:05.130
Man in the middle attacks are a big issue in today's I.T. Security world.

00:05.130 --> 00:09.090
So that's what we're going to be doing in this episode. Now first of all let's make sure we know what

00:09.090 --> 00:14.430
a man in the middle attack is. On the Internet, on any TCP/IP network,

00:14.460 --> 00:18.430
you have some type of communication going on between two computers.

00:18.540 --> 00:26.760
You might have a web browser or access to a web page or an SSH client accessing an SSH server or a

00:26.790 --> 00:29.760
computer accessing some shared folders on another computer.

00:29.760 --> 00:35.990
It doesn't matter what's going on in terms of protocol and application. In almost every situation,

00:36.060 --> 00:42.600
we have this session going on between two computers, and a man in the middle attack is simply a third

00:42.600 --> 00:48.420
party that's sneaking in between these two conversations and doing whatever you will, they're going to

00:48.420 --> 00:48.740
do.

00:48.750 --> 00:53.280
So when we're talking about a man in the middle attack there are two big parts to it.

00:53.280 --> 00:55.830
Number one, you have to get in the middle.

00:55.930 --> 01:01.240
So that's going to depend on the technology and how that's going to work; we're going to get into that.

01:01.260 --> 01:07.110
The second issue is, OK, now that you're in the stream, now that you're in the middle of that conversation,

01:07.350 --> 01:08.580
what are you going to do about it?

01:08.580 --> 01:13.440
So to help us out, what I would do is give you a kind of a setup, and that's why I've got all these computers

01:13.440 --> 01:14.450
here forked out.

01:14.520 --> 01:18.360
If we take a look over here what I have are two virtual machines.

01:18.550 --> 01:26.700
So if we take a look here you'll see this machine right here is running Windows 8; it's on

01:26.710 --> 01:27.540
192.168.1.190.

01:27.870 --> 01:34.460
And then over here is a Windows 10 machine and it's on 192.168.1.146.

01:34.470 --> 01:38.790
You'll notice that it's got 192.168.1.1 for a default gateway.

01:38.790 --> 01:41.970
So what I have is this little router right here.

01:42.030 --> 01:49.470
This little home router has a DHCP server passing out 192.168 addresses, and he's going to be acting as

01:49.470 --> 01:53.460
our gateway. Now in this particular episode,

01:53.460 --> 01:57.500
what I want to do is keep things a little bit simpler, so we're going to just all be on one network.

01:57.750 --> 01:59.940
But the fun part is over here.

01:59.940 --> 02:05.290
What I'm running on this laptop is a very famous Linux distribution called Kali.

02:05.430 --> 02:11.430
So Kali is kind of like your best friend when it comes to all kinds of fun security things.

02:11.430 --> 02:14.600
It's just a big pile of fun toys all in one big piece.

02:14.670 --> 02:19.730
So if you take a look right here, right now I don't have anything exciting running on it other than this.

02:19.800 --> 02:29.610
So you can see that it is also on our network; it's 192.168.1.107, and I can talk to both the router

02:29.700 --> 02:35.520
and my two virtual machines on this box, so let's go ahead and draw up what we have right there.

02:35.880 --> 02:42.150
So what we have here is we've got our two Windows machines; the Windows 8 machine is

02:42.390 --> 02:44.060
192.168.1.109.

02:44.070 --> 02:49.680
And then we have the Windows 10 machine which is 192.168.1.146.

02:50.010 --> 02:51.900
Also we've got a router in here too.

02:51.900 --> 02:55.590
So the router is going to be 192.168.1.1.

02:55.620 --> 02:57.620
He'll be passing out DHCP.

02:58.080 --> 03:04.020
We have our attack machine which is going to be this Kali Linux box, and at least for right now

03:04.080 --> 03:07.220
he's 192.168.1.107.

03:07.260 --> 03:09.320
They're all on the same network.

03:09.800 --> 03:10.390
OK.

03:10.440 --> 03:15.050
So our first job with man in the middle attacks is to get into the middle somehow.

03:15.180 --> 03:22.950
We have to be able to, as the attacker, see the stream as it's going back and forth between the two different

03:22.950 --> 03:23.430
systems.

03:23.430 --> 03:31.380
Now the first way to do this is a wireless network and wireless is fantastic because in a perfect unencrypted

03:31.500 --> 03:37.430
world, 802.11 wireless is completely open for anybody to read anything that they want to.

03:37.440 --> 03:43.800
So I can just take a laptop like this, plug in the right type of wireless network card, I can set that

03:43.800 --> 03:49.380
wireless network card in promiscuous mode and I can just grab everybody's packets. I can just start sniffing

03:49.380 --> 03:55.020
away, as they say, and capture all these packets and I can get all the information. I am in essence

03:55.050 --> 03:57.450
in between the streams in a wireless network.

03:57.450 --> 04:03.300
Now 802.11 wireless has some protections, for example if you use WPA or WPA2.

04:03.480 --> 04:08.750
First of all, if you're using encryption, that will certainly stop that; that will make that a lot harder.

04:08.790 --> 04:12.140
But even with encryption there's ways to decrypt sometimes.

04:12.360 --> 04:16.040
So WPA and WPA2 also have isolation.

04:16.170 --> 04:22.410
So each computer on that wireless SSID can connect to the wireless access point, but they can't see

04:22.410 --> 04:26.030
anybody else so that's very beneficial.

04:26.190 --> 04:29.640
WEP is still a bit of a problem. With WPA and WPA2,

04:29.640 --> 04:32.400
you basically got end-to-end encryption.

04:32.400 --> 04:37.550
Unfortunately with WEP you don't, so yet one more reason to stop using WEP.

04:37.620 --> 04:39.890
It doesn't just stop with 802.11 though.

04:39.960 --> 04:43.710
Bluetooth is also susceptible to man in the middle attacks.

04:43.710 --> 04:49.530
Bluetooth does have encryption built into it but Bluetooth counts on short distances and short duration

04:49.530 --> 04:53.070
of connections to make it hard for man in the middle attacks.

04:53.070 --> 04:58.590
The other problem child is NFC. Now with NFC communication,

04:58.590 --> 05:05.720
what you have is a device, or Apple Pay or whatever you might be using, something like on a smartphone,

05:05.940 --> 05:10.980
and it has a chip inside of there, and it also counts on the fact that it has to be extremely close

05:11.250 --> 05:14.010
to the other side of the conversation in order to work.

05:14.010 --> 05:20.940
So we do have these issues in all types of wireless, but unencrypted 802.11 is certainly the biggest

05:20.940 --> 05:21.970
problem of all.

05:22.080 --> 05:27.790
Now if you're using wireless you've probably already got about half the battle taken care of; all you

05:27.790 --> 05:31.840
need to do is get some kind of card that's going to listen for all the packets and start pulling it

05:31.840 --> 05:32.680
in.

05:32.680 --> 05:34.840
However if you're in a wired network,

05:34.900 --> 05:36.640
things change dramatically.

05:41.630 --> 05:46.630
If you're going to do a wired man in the middle attack things get a lot trickier.

05:47.000 --> 05:54.830
In a wired network packets are sent between systems based on MAC addresses or IP addresses or some other

05:54.830 --> 05:55.970
piece of information.

05:55.970 --> 06:01.520
So if we're going to do man in the middle in wired attacks, well then we're going to have to start the

06:01.520 --> 06:03.790
magical world of spoofing.

06:03.950 --> 06:09.740
So when we talk about spoofing we're talking about making something in the attacker's address look like

06:09.740 --> 06:11.330
one of the victim's addresses.

06:11.330 --> 06:20.630
So for example I could spoof MAC addresses. I could in essence tell my switch that, oh, this computer over

06:20.630 --> 06:25.130
here is actually that MAC address, send the data to that one.

06:25.130 --> 06:29.710
We could also do what we could call IP spoofing.

06:29.750 --> 06:36.020
In that case what we're doing is we're telling the one computer on the end, or either computer, that, go

06:36.020 --> 06:40.850
ahead and send it to me and then I can send it on over to the next guy so we can use that.

06:40.880 --> 06:45.350
We can also do things like using DNS addressing to get people to go the wrong way.

06:45.350 --> 06:51.080
So what I want to do is go ahead and play with this a little bit and to do this we're going to use a

06:51.080 --> 06:53.360
wonderful program called Ettercap.

06:53.390 --> 06:56.620
This is an old program it's been around for a long time.

06:56.630 --> 07:03.770
It is a free program that is marketed as a penetration testing tool, but it's actually a lot

07:03.770 --> 07:10.780
of things all in one. Ettercap is going to allow me to do the spoofing by different functions called poisonings.

07:10.880 --> 07:16.400
And not only will it do that, but it will actually grab the data for me and it will look through the data

07:16.400 --> 07:18.890
to give me the type of information I want.

07:18.890 --> 07:21.050
So we're going to keep it a little bit simple here.

07:21.140 --> 07:22.840
But let's go ahead and let me show you.

07:22.840 --> 07:29.190
Ettercap at work. One of the reasons that I like Kali Linux so much is that it comes with so many handy

07:29.190 --> 07:32.030
tools, and one of those tools is Ettercap.

07:32.040 --> 07:40.360
So let's go ahead and get that guy started up and you can see how he does such a nice job about putting

07:40.390 --> 07:49.260
everything in a nice easy way for me to find stuff.

07:49.310 --> 07:55.160
So here under Sniffing and Spoofing, Ettercap is one of many, many handy programs, so go ahead and get

07:55.160 --> 07:56.110
him started up.

07:56.270 --> 08:02.030
So let's go ahead and take a minute right now and take a look at our wired setup one more time. What

08:02.030 --> 08:07.190
we're going to be doing here is we're going to be doing man in the middle attacks between our router

08:07.250 --> 08:09.170
and one of the Windows systems.

08:09.170 --> 08:14.090
So what I need to do is get Ettercap set up in such a way that it can do that.

08:14.180 --> 08:19.310
Ettercap is designed for man in the middle, so it'll do stuff like, say, give me who I'm attacking

08:19.310 --> 08:23.570
on one side, give me who the target is on the other, and then tell me what you want to do, and we'll see

08:23.570 --> 08:24.640
that in the interface.

08:28.520 --> 08:33.320
So I'm going to begin what's called unified sniffing, and what it's doing at this point is just going

08:33.320 --> 08:37.090
out onto the wired network and seeing what hosts are out there.

08:39.810 --> 08:41.750
So that usually works pretty quickly.

08:41.760 --> 08:48.460
So what I'm going to do now is I'm going to tell him, OK, now you've sniffed, find all the hosts on this

08:48.460 --> 08:52.620
network and if we're lucky we should be able to find all of our hosts.

08:52.630 --> 08:53.710
Let's see what happens.

08:55.100 --> 09:00.690
All right so it found three hosts.

09:00.810 --> 09:02.850
So let's take a look on the host list here.

09:06.050 --> 09:06.770
And there they are.

09:06.770 --> 09:10.080
So now keep in mind the attacking machine does not show up on here.

09:10.100 --> 09:11.710
So here's my router.

09:12.050 --> 09:14.840
And here are my two Windows systems.

09:15.020 --> 09:19.040
So it does a really good job of sniffing just within the tool itself.

09:19.040 --> 09:24.470
So what we're going to do now is we have to pick targets, so in this case I'm going to say target one

09:24.500 --> 09:31.730
is going to be the router and I'm going to pick the Windows 8 machine.

09:31.750 --> 09:33.100
Nothing special about that.

09:33.130 --> 09:37.010
And I'm going to make that target two.

09:37.060 --> 09:41.740
So we've got the program ready to do some man in the middle attacking. The first thing I'm going to ask

09:41.740 --> 09:45.280
this guy to do is what we call MAC spoofing.

09:45.280 --> 09:50.890
In this case what we're going to do is we're going to lie to the switch and basically tell the switch

09:50.890 --> 09:54.570
that we are the guy in between each one of these connections.

09:54.610 --> 09:56.340
So let's go ahead and get him started.

09:58.740 --> 10:01.040
So I'm going to tell him to go ahead and get started.

10:01.040 --> 10:06.650
I could propagate this to other switches, but in this case I only have one switch that's built into

10:06.650 --> 10:08.320
the SOHO router.

10:08.420 --> 10:12.270
So I'm just going to hit OK. Now

10:12.310 --> 10:15.890
I've gone ahead and started the MAC spoofing.

10:15.890 --> 10:23.290
So right now this system is sending out all kinds of traffic out onto my network and going through MAC

10:23.290 --> 10:25.920
spoofing, port stealing, the exact same word.

10:25.930 --> 10:28.810
The problem here is, what do you do with this data?

10:28.810 --> 10:34.810
So basically anything that's going between this router and one of my Windows systems is being sent over

10:34.810 --> 10:38.070
to this guy right here, so what do you do with it?

10:38.200 --> 10:42.760
Well that is the big issue in man in the middle attacks. The number one function of man in the middle

10:42.760 --> 10:49.110
attacks, more than anything else, is to garner data, is to do data exfiltration as they say.

10:49.110 --> 10:55.520
We want to grab some of that data: usernames, passwords, images, whatever we might want to grab.

10:55.540 --> 10:58.090
So what's going to do the grabbing?

10:58.100 --> 11:00.310
Well that could be a bit of an issue.

11:00.340 --> 11:09.330
So one of the things we could use is, for example, Wireshark. So, good old Wireshark.

11:09.370 --> 11:14.980
Now one of the things you're going to see right here is you see all of these ARPs, and this is all this

11:14.980 --> 11:20.920
noise that's being generated by the attacking system and it's creating all of these what are called

11:20.920 --> 11:27.190
gratuitous ARP addresses, and it's going to go ahead and confuse the bejeezus out of the system.

11:27.190 --> 11:31.630
So the thing you do have to watch out for is all of this noise that's going out.

11:31.660 --> 11:36.480
Any good intrusion detection system would catch this and be very very nervous.

11:36.480 --> 11:42.820
Now the other nice thing about tools like Ettercap is that Ettercap relieves you from the need of having

11:42.820 --> 11:47.290
to use things like Wireshark, because Ettercap is a man in the middle tool.

11:47.320 --> 11:52.930
Not only will it go ahead and do the naughtiness for us but the other thing it will do is begin looking

11:52.930 --> 11:55.060
at that data and grabbing stuff.

11:55.060 --> 12:01.150
So what I want to do is I'm going to turn off the port stealing and we're going to move it up to IP

12:01.150 --> 12:01.830
spoofing.

12:01.900 --> 12:09.090
And in this case what we're going to be doing is an ARP poison.

12:09.100 --> 12:16.930
Now keep in mind every IP system on a network has a cache of IP addresses to MAC addresses.

12:16.930 --> 12:18.810
This is called the ARP cache.

12:18.850 --> 12:23.920
So when we're ARP poisoning, what we're doing is we're going to tell Ettercap to start lying to the other

12:23.920 --> 12:26.260
systems and not saying anything to the switch.

12:26.320 --> 12:27.860
It lies to the other systems.

12:27.970 --> 12:33.240
So the other systems will think that a particular IP address, or gateway, has this MAC address.

12:33.340 --> 12:38.260
What they'll end up doing is that particular IP address is going to be the attacker's address.

12:38.380 --> 12:41.140
So let's go ahead and set up our poisoning.

12:41.140 --> 12:48.910
OK so to set up our poisoning, I've got my two targets, and what I'm going to do now is I'm going to start

12:49.750 --> 12:51.760
a man in the middle attack.

12:51.760 --> 12:53.880
And I just go to ARP poison right here.

12:56.070 --> 13:01.770
And I want to sniff both of the remote connections, and I could also poison one way. In this case,

13:01.800 --> 13:04.300
we want to be able to grab both sides of the conversation.

13:04.350 --> 13:05.380
So I'm just going to hit.

13:05.610 --> 13:06.270
OK.

13:08.600 --> 13:11.990
This time with ARP poisoning, let's go ahead and actually grab some traffic.

13:11.990 --> 13:17.610
So what I'm going to do is this little router has a web interface like most of these routers do.

13:17.690 --> 13:21.740
And I'm going to go to one of these Windows machines and just access this router.

13:21.740 --> 13:23.310
So let's go ahead and do that.

13:27.140 --> 13:29.050
Not on the Internet so it's not going to be happy.

13:29.160 --> 13:37.740
And I know my router's address is 192.168.1.1.

13:37.770 --> 13:40.370
So I actually hit the router right here.

13:40.380 --> 13:42.610
Now what I need to do is log in to do anything.

13:42.630 --> 13:47.450
Anybody can see this page but if I want to make any changes it's going to force me to log in.

13:47.610 --> 13:58.340
So I'm going to type in Bips you type in the username and the password and I log in.

13:58.340 --> 13:59.810
Now let's go over here.

13:59.810 --> 14:00.890
Let's take a look at Ettercap.

14:00.890 --> 14:02.210
Look what's happened here.

14:02.270 --> 14:09.360
The moment I did this, so let me get the right spot.

14:10.640 --> 14:16.640
So you can see the username and my password is being captured by Ettercap.

14:16.730 --> 14:20.100
This is a great example of what makes Ettercap particularly convenient.

14:20.240 --> 14:25.940
So not only does it do the poisoning for me but it also does the sniffing for me and it's also smart

14:25.940 --> 14:32.030
enough to know to look for usernames and passwords for common protocols like HTTP or Telnet or something

14:32.030 --> 14:32.510
like that.

14:32.510 --> 14:38.390
So Ettercap is very convenient because it does everything in one package, but don't think that all packages

14:38.390 --> 14:39.260
work this way.

14:39.290 --> 14:44.090
It's just convenient that it does the attacking and it does the sniffing and then it goes through the

14:44.090 --> 14:46.650
data and finds the stuff that we're looking for.

14:46.670 --> 14:49.730
Normally this would be done with separate packages.

14:49.730 --> 14:51.910
That's why I like Ettercap.

14:52.030 --> 14:58.330
So there's just one example of using ARP poisoning. Again, ARP poisoning is very noisy.

14:58.390 --> 15:05.710
It's actually sending out packets to the different targets, lying to them so that their ARP caches are

15:05.710 --> 15:06.450
confused.

15:06.460 --> 15:12.810
But that works out pretty well, and it does make a big pile of a mess out there unfortunately.

15:12.820 --> 15:18.930
So what I'm going to do here is, I'm going to do a DHCP spoofing.

15:19.240 --> 15:24.490
So I'm going to start up DHCP, and in essence he's going to pretend to be a DHCP server, and I don't want

15:24.490 --> 15:26.830
to mess with anybody's IP addresses.

15:26.830 --> 15:34.300
But what I am going to do instead is I'm going to mess with the DNS information. I have to type in the

15:34.300 --> 15:38.580
netmask because that's just how the program wants me to do it.

15:38.590 --> 15:43.810
Now here I can type in any DNS server IP address, so it's not going to take the default DHCP; it's going

15:43.810 --> 15:46.720
to take whatever I put right here so I'll make something up.

15:49.590 --> 15:51.630
So I can put anything in here.

15:51.660 --> 15:52.800
I'm going to hit OK.

15:53.740 --> 15:54.800
And now it's going to start.

15:54.880 --> 15:58.700
DHCP spoofing, but only changing the DNS information.

15:59.110 --> 16:04.770
So what I've done now is every system on my network that uses DHCP,

16:04.900 --> 16:09.550
I'm not messing with its default gateway, I'm not messing with its IP address, I'm not messing

16:09.550 --> 16:12.670
with its subnet mask. All I'm doing is I'm telling them all

16:12.700 --> 16:15.650
a new DNS server that they didn't have before.

16:15.760 --> 16:18.700
So we could do a lot of cool DNS stuff with this.

16:18.700 --> 16:20.200
Let me give you one quick example.

16:21.350 --> 16:29.570
Once we've gone ahead and poisoned the DNS using the DHCP tool, we can in essence spoof DNS servers.

16:29.570 --> 16:35.420
So for example one of the cool things I could do here is the next time somebody opens up their web browser

16:35.420 --> 16:41.220
and they want to go to www.whatever.com.

16:41.470 --> 16:48.510
If that system doesn't know the IP address for that web server it's going to go out and send a DNS request.

16:48.520 --> 16:54.420
Now what we could do is we could have a rogue DNS server on that particular IP address.

16:54.490 --> 17:00.780
So all the systems will go to that server and that particular server can point them to someplace evil.

17:00.820 --> 17:04.110
So we could have them type in www.google.com.

17:04.260 --> 17:09.790
And because their DNS server is our evil server, we could send them to someplace naughty, and that's just

17:09.820 --> 17:15.980
one example of evil things you can do with DNS poisoning.

17:16.150 --> 17:20.940
Now the exam covers a few other things that are kind of man in the middle type attacks.

17:20.950 --> 17:22.340
But in my opinion they're not.

17:22.420 --> 17:24.420
But we're just going to go ahead and mention them here.

17:24.420 --> 17:30.910
Anyway, one of the things that we run into is what we call URL hijacking, better known as typosquatting.

17:30.910 --> 17:37.540
Now what we're talking about here is if somebody has a Web site like Google and then somebody goes ahead

17:37.570 --> 17:43.000
and gets the domain g-o-g-g-e-l, you get the idea.

17:43.000 --> 17:48.810
So because someone does a typo they will in essence be directed to someone else's site.

17:48.850 --> 17:53.680
It's not really injecting yourself in the middle of a conversation it's just deflecting somebody to

17:53.680 --> 17:54.760
another place.

17:54.880 --> 17:59.950
But it is considered man in the middle so we're going to go ahead and bring that up as well.

17:59.950 --> 18:07.270
So the other issue you can run into is called domain hijacking. Domain hijacking is simply somebody

18:07.270 --> 18:09.100
doesn't keep a domain updated.

18:09.100 --> 18:10.300
I've done this myself.

18:10.360 --> 18:12.610
I have so many URLs that I keep around.

18:12.850 --> 18:18.040
And there was a domain I had for a long time, and I just forgot to renew the domain. The domain ran

18:18.040 --> 18:22.630
out and somebody grabbed it really really quick and put a whole bunch of offensive material on there

18:22.930 --> 18:27.250
and they said well we'll sell it back to you for a lot of money and I had to pay because it was really

18:27.250 --> 18:28.950
really offensive.

18:28.970 --> 18:35.790
Now everything we've talked about so far is simply ways to get to a stream.

18:35.800 --> 18:40.340
As a man in the middle attack we've had some reference to some of the things we can do.

18:40.450 --> 18:44.100
And one of the things we do is we scrape data and we try to get information.

18:44.170 --> 18:48.520
And we saw that with Ettercap, but there's some other stuff you can do, so let's just take a moment to

18:48.520 --> 18:56.780
talk about what can we do once we're in the stream.

18:56.910 --> 19:01.230
So you would think the most perfect thing you could always do with man in the middle attacks is simply

19:01.230 --> 19:02.600
grab the data and look at it.

19:02.610 --> 19:04.220
Well that is good.

19:04.230 --> 19:05.970
And that's something we'd like to do a lot.

19:06.090 --> 19:10.560
But the other thing you can do is do something that's called a replay attack.

19:10.710 --> 19:14.450
This tends to be more convenient for secure communications.

19:14.460 --> 19:20.390
So for example I've got some type of secure communication protocol between two systems.

19:20.400 --> 19:22.560
I'm not interested in reading their data.

19:22.560 --> 19:26.760
What I'm interested in is getting the username and password. Now I'm not going to be able to get their password.

19:26.880 --> 19:31.970
But the client in one particular example could be sending out a username and a hash.

19:32.040 --> 19:38.220
And if I get the username and a hash I have all the information so that later I can replay that over

19:38.220 --> 19:41.420
to the server and log in as that person anytime I want.

19:41.430 --> 19:47.130
That's the big danger of replay attacks: once you get that information you can keep logging in as many

19:47.130 --> 19:52.200
times as you want to do whatever you need to do. Replay attacks even get into the world of certificates

19:52.230 --> 19:52.920
as well.

19:52.980 --> 19:57.240
You can do a lot of interesting things with that but I'm going to save all of that type of information

19:57.480 --> 20:01.090
for other episodes that specify exactly web pages.

20:01.100 --> 20:02.710
So hang on to that one.

20:02.820 --> 20:05.950
The other thing we can do is what's known as a downgrade attack.

20:05.970 --> 20:09.250
This is particularly useful for things like web pages.

20:09.270 --> 20:14.970
We've had a lot of different types of protocols starting with good old SSL and different versions of

20:14.970 --> 20:17.680
TLS, and each one is better than the next.

20:17.700 --> 20:22.920
But if I can make a client talk to a web server and go, look, I want a secure web page but I can only

20:22.920 --> 20:24.150
do SSL.

20:24.150 --> 20:27.330
That makes it a lot weaker than the more advanced TLS version.

20:27.330 --> 20:32.430
So if we have a web server that allows that to happen we can take advantage of that via what's known

20:32.430 --> 20:33.850
as a downgrade attack.

20:34.200 --> 20:40.230
Now the last thing I want to talk about is called session hijacking. Session hijacking basically

20:40.230 --> 20:42.960
means two people are already talking.

20:42.960 --> 20:44.150
They're already up and running.

20:44.160 --> 20:49.920
They're communicating. What I'm going to do is get in the middle of that communication, and I'm going

20:49.920 --> 20:54.530
to inject information in there and I'm going to be able to do naughty things now.

20:54.720 --> 21:01.470
Session hijacking is an incredibly difficult tool to use because what you have to do is take advantage

21:01.470 --> 21:04.010
of a real time connection that's taking place right now.

21:04.170 --> 21:08.760
However there is a great simplified version of that and it's been around for years and years and it's

21:08.760 --> 21:09.930
called Firesheep.

21:10.020 --> 21:12.690
So here's a picture of Firesheep right here.

21:12.690 --> 21:18.370
All Firesheep does is it uses unencrypted wireless connections.

21:18.400 --> 21:23.070
It performs a session hijack and literally connects into whatever is taking place.

21:23.070 --> 21:25.530
So here's a Facebook page that's being loaded.

21:25.560 --> 21:29.910
And since I've already logged in, I've just caught it in the middle of the session; I've gone ahead and hijacked

21:29.910 --> 21:30.000
it.

21:30.000 --> 21:31.680
I could even make changes to it.

21:32.820 --> 21:36.780
So when it comes to a man in the middle attack remember there's always going to be two parts to the

21:36.780 --> 21:37.290
equation.

21:37.290 --> 21:40.390
Number one, what are you going to do to get into the stream?

21:40.500 --> 21:44.310
And then number two, what are you going to do with that data once you've got it?

21:44.310 --> 21:46.950
They're two separate issues and they're handled quite differently

21:54.260 --> 21:58.030
in.
